control/limit users to search or view the data stored in specific directories
What I am trying to achieve is
limit "user 1" to search the data stored in "Directory 1" only and "user 2" to view/search "Directory 2" only
What I did is similar to http://answers.splunk.com/questions/6195/is-it-possible-to-use-macros-to-restrict-search-terms
(1) create two new indexes, say I1 & I2 (2) splunk stop; splunk clean eventdata; splunk start; login as admin (3) create two new roles R1 & R2, assign I1 to R1 as the selected search index (the last configuration in the creating a role) and similarly assign I2 to R2. (4) create two new users U1 & U2, assign U1 (U2) as role R1 (U2) (5) manage data inputs --> file & directory --> add directory D1, and set the index I1. Similar handled D2 and I2.
If logged in as U1, index I2 did not show in the summary page. However, I can still put "index=I2" in the search bar to see the data indexed by I2 (essentially the data stored in directory D2). Anyone could help which is the problem?
I did check authorize.conf which located in "\Splunk\etc\system\local", it reads ""
importRoles = user
rtSrchJobsQuota = 0
rtsearch = enabled
srchDiskQuota = 0
srchIndexesAllowed = c5only
srchIndexesDefault = c5only
srchJobsQuota = 0
If I logged as one user assigned role "c5viewer," I can only see data indexed by c5only in the search summary page. But I can still retrieve data indexed by r2only (a different index) if putting
in the search bar. The results come with all the data indexed by "r2only"
Any thoughts what can be the issue?
It sounds like it had you configure the Indexes Searched by Default. If you go into the role config, you should be able to specify Available Search Indexes. Do you see any indexes listed there? You can also look for srchIndexesAllowed in authorize.conf. You may also need to restart splunk (killing all user sessions and re-reading config files) to get it to take effect.